Single Sign-On (SSO)

Single Sign-On (SSO) allows users to log in once with their company credentials (for example, through Okta or Azure AD) and then access Orderful without needing a separate password. This improves security, reduces password fatigue, and makes it easier for IT teams to manage access in one central place.
If you’d like a deeper overview of SSO concepts and benefits, see this article by Cloudflare.

Orderful supports SSO for organizations that want streamlined, secure authentication.

📘

SSO is only available for Integrated organizations.

SSO configuration must be requested through [email protected].

Supported Identity Providers (IdP) / Protocols

• SAML 2.0: Okta, Azure AD, ADFS, OneLogin, etc.
• OIDC (Authorization Code flow): Okta, Auth0, Azure AD, Google Workspace, etc.

📘

If you’re unsure which protocol to use, SAML 2.0 is the most common for enterprise SSO.

Configuration Requirements

To configure SSO, Orderful and your team will need to exchange configuration details.

You provide to Orderful:

• Your IdP metadata (SAML 2.0) or OIDC details.

Orderful provides to you:

• SP / redirect endpoints to configure into your IdP
• A unique SSO login URL for your users.

📘

Automated provisioning via SCIM is not available at this time.

Implementation Workflow

Step 1: Submit your SSO Information

Email [email protected] (cc your Orderful CSM) with the following:

A) Organization & Contact

• Company name:
• Primary SSO contact (name, email):
• Secondary (name, email):
• Support window/timezone (optional):

B) Login Scope & Enforcement

• Domains to associate with SSO (e.g., example.com, example.org):
• Enforce SSO for these domains? (Yes/No)
• Keep a break-glass non-SSO admin account? (Yes/No; email to allowlist)

C) Protocol Choice

• Protocol: SAML 2.0 or OIDC (Auth Code)
• IdP vendor: (Okta/Azure AD/…)
• IdP-initiated login required? (Yes/No; SP-initiated is standard and most secure)

D) Attributes

• User attributes you will send:
  • email (required)
  • firstName (recommended)
  • lastName (recommended)

E) Your IdP Configuration (choose one of the 2 options)

An example SSO request email to Orderful Support would read as follows:

Subject: Orderful SSO Setup —
To: [email protected]

Hello Orderful,
We’d like to enable SSO for Acme Corp. Below are our details:

A) Organization & Contacts
Company: Acme Corp
Primary SSO contact: Jane Smith ([email protected])
Secondary contact: John Doe ([email protected])
Timezone: EST

B) Login Scope & Enforcement
Domains: acme.com
Enforce SSO for all users: Yes
Break-glass admin (non-SSO): [email protected]

C/E) Protocol & IdP Info (SAML 2.0)
Protocol: SAML 2.0
IdP vendor: Okta
Metadata URL: https://acme.okta.com/app/exk123/sso/saml/metadata
Issuer / Entity ID: http://www.okta.com/exk123
SSO Login URL: https://acme.okta.com/app/acme_orderful/exk123/sso/saml
X.509 Certificate:
NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Sign AuthnRequests: Yes
Encrypted assertions: No

D) Attributes & Role Mapping
email → [email protected]
firstName → Jane
lastName → Smith

Please send back the ACS URL & SP Entity ID to complete our IdP config, and our org’s SSO login URL for distribution. Thank you!

❗️

Field names and configuration options aren't standardized and vary by IdP. If something looks different from what we request, check with your IdP to collect the right details.

Step 2: Orderful Configuration

Once your intake form and IdP details are received, Orderful will:

• Create the SSO connection for your organization.
• Share any required SP values.
• If requested, restrict SSO by email domain and/or enforce SSO (disallow user/password sign-ins).

Step 3: Test

• Assign a test user in your IdP to the Orderful app (include groups if you're mapping).
• Use the Orderful login page to initiate a login.
• Upon the first login, check the user account page:
  • The user is created successfully in Orderful on first login (Just-in-Time (JIT) Provisioning).
  • The correct email and display name appears

❗️

We recommend testing with a non-admin user first, then roll out by domain.

All newly provisioned SSO users are assigned a Viewer role at first. Admins can modify the user roles on the Users page.

Step 4: Go-Live

• Assign your user groups in the IdP
• Share the SSO URL internally.
• [Optional] Request SSO enforcement for your domains
• Keep a break-glass non-SSO admin account for IdP outage scenarios

Certificate Rotation / IdP Changes

If you need to rotate certificates or update your IdP config, email [email protected] with the new metadata/certificate in advance of the change. For emergency changes, include both the old and new details plus the planned change time.

Deprovisioning & Lifecycle

Removing a user from Orderful in your IdP blocks future logins.
Active sessions may remain valid briefly; contact [email protected] for faster session revocation.

FAQ

• Can we use IdP-initiated SSO?
  • Yes, on request. SP-initiated is standard; we’ll provide the IdP-initiated details if needed.
• Do you support multiple IdPs per organization?
  • Yes, with routing rules (e.g., by domain).
• What attributes are mandatory?
  • email is required. firstName/lastName (or name) is recommended.
• What if our IdP limits group size?
  • Use purpose-built groups (e.g., Orderful-Admin, Orderful-User) to avoid oversized tokens.